PC compromised by Trojan?

Started by zimmerframe, Mar 19, 2010, 12:45:21


zimmerframe

I think my PC has been compromised by a Trojan, possibly WIN32InjectXP[Trj]

Wednesday evening I was browsing LP record review sites after running a Google search for a particular LP.  One site I visited caused my Windows firewall to switch off.  This immediately caused me concern.  I was able to switch it back on again.  I restarted my PC and Windows hung without loading my desktop.  I did another restart and my desktop loaded, but Windows firewall switched itself off again.  I tried logging into a secure website (Barclays Stockbrokers) and noticed that my normally saved password information had been cleared.

I ran Spybot Search & Destroy and Ad-Aware.  Neither found anything.  I looked in Administrative Tools/Security logs and my antivirus (Avast) had logged a suspect Trojan, listed above.  I ran a full scan and it found the above Trojan and gave me the option to clean it, which I selected.  I allowed the scan to continue overnight but the scan froze at 65%.

This morning I again tried to start my PC and Windows hangs before the desktop is loaded.  I can access Task Manager with Ctrl/Alt/Del and can see running processes.  Finally, before leaving for work this morning, I tried starting in Safe Mode, which I was successfully able to do.

My PC is running WinXP SP3 fully patched up.

Any suggestions?  I could try running a scan in Safe mode maybe?  Are there any on-line scan tools I could try, assuming I can access them from safe mode?



If The World Didnt Suck, We'd all Fall Off

Rik

It would be worth getting hold of a copy of SuperAntiSpyware and Malwarebytes, Zim, and seeing if they can do the deed for you.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.


Simon

I would also recommend the above.  AdAware and Spybot are quite outdated now.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.


zimmerframe

My worry is that if this is a W32 inject, it has most likely compromised the registry too.  Are these removal tools able to cope?

I also suspect that doing a roll back will be of no use if Windows files have been changed.  It will just re-load itself.


If The World Didnt Suck, We'd all Fall Off

Simon

I think they should remove it fully, Zap.  You could also try the free version of PrevX.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

zimmerframe

Cheers folks, will try tonight


If The World Didnt Suck, We'd all Fall Off

Glenn

They may take an hour or so to run, so be patient.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.


zimmerframe

Success; finally. 

After 5 hours of scanning, rescanning, etc., I have finally rid my machine of what turned out to be several malware bots that had installed themselves on my PC.

Even after running scans using the two tools above, as soon as I restarted my PC, they reinstalled themselves.  I resorted to not restarting after I had run a scan and then rolling back a week.  I then rescanned and finally they were gone.

For reference this was what was logged.

Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

19/03/2010 20:43:16
mbam-log-2010-03-19 (20-43-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239630
Time elapsed: 26 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


I am amazed and appalled at how easily they installed themselves on my PC.  I wasn't visiting some lurid dodgy site (well, it seems it was dodgy) but was viewing what I thought was an innocent record review site.  It just shouldn't be that easy to spread this stuff :mad:




If The World Didnt Suck, We'd all Fall Off
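The Malwarebytes log above has a regular shape: a summary block of "Section Infected: N" counts, then one block per section listing each detection as "path (category) -> action". As an added example (not code from this thread and not Malwarebytes' own tooling), the Python below parses that format, checks that the per-section counts agree with the items actually listed, tallies detections by category, and flags anything the scanner did not report as removed, which is the check you would want before deciding whether a reboot is safe. The sample log is an excerpt of the one posted above; the extra "9.tmp" line and its "Delete on reboot." action are constructed for illustration and are assumptions about the scanner's wording.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the Malwarebytes 1.44 log posted in the thread above (header lines
# and some empty sections trimmed; the detection lines are verbatim).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3885
Scan type: Full Scan (C:\|)
Objects scanned: 239630

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed variant (not from the post): one extra file the scanner could not
# remove immediately. The "Delete on reboot." wording is an assumption.
UNRESOLVED_LOG = SAMPLE_LOG.replace("Files Infected: 1", "Files Infected: 2").rstrip("\n") \
    + "\nC:\\WINDOWS\\Temp\\9.tmp (Trojan.Agent) -> Delete on reboot.\n"

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+)$")
CLEANED = "Quarantined and deleted successfully."

def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'items': {section: [item dicts]}}."""
    summary, items, section = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):          # "Registry Keys Infected: 4"
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):        # "Registry Keys Infected:"
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            items[section].append(m.groupdict())  # "(No malicious items detected)" never matches
    return {"summary": summary, "items": dict(items)}

def count_mismatches(parsed):
    """Sections whose summary count disagrees with the items listed (truncated or edited log)."""
    return [s for s, n in parsed["summary"].items() if n != len(parsed["items"].get(s, []))]

def unresolved_items(parsed):
    """Detections the scanner did not report as quarantined and deleted."""
    return [i for lst in parsed["items"].values() for i in lst if i["action"] != CLEANED]

def categories(parsed):
    """Detection count per scanner category, e.g. Backdoor.Bot."""
    return Counter(i["category"] for lst in parsed["items"].values() for i in lst)

def machine_wide_persistence(parsed):
    """Registry detections in hives that are not tied to one user profile
    (.DEFAULT, S-1-5-18 which is the SYSTEM account, and HKLM)."""
    hives = ("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\", "HKEY_LOCAL_MACHINE\\")
    return [i["path"] for s in ("Registry Keys Infected", "Registry Values Infected")
            for i in parsed["items"].get(s, []) if i["path"].startswith(hives)]

if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE_LOG), ("constructed log", UNRESOLVED_LOG)):
        p = parse_mbam_log(text)
        print(name, dict(categories(p)), "mismatches:", count_mismatches(p),
              "unresolved:", [i["path"] for i in unresolved_items(p)])
```

Run it on a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; an empty `unresolved_items` list together with an empty `count_mismatches` list is the state you want to see before trusting a reboot.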

Tacitus

Before the usual crowd get round to this and we start the 'Mac security is an oxymoron' posts, I thought I'd post it first:  Researcher Set to Announce 20 Zero-Day Holes in Mac OS X

Just out of interest how many Mac users have actually seen stuff in the wild?  In 18 years of Mac use I've only seen the Autostart worm back in System 7 days.

I imagine the crowd over on Engadget are having a field day with this.


Gary

Quote from: Tacitus on Mar 20, 2010, 07:43:26
Before the usual crowd get round to this and we start the 'Mac security is an oxymoron' posts, I thought I'd post it first:  Researcher Set to Announce 20 Zero-Day Holes in Mac OS X

Just out of interest how many Mac users have actually seen stuff in the wild?  In 18 years of Mac use I've only seen the Autostart worm back in System 7 days.

I imagine the crowd over on Engadget are having a field day with this.


Mozilla's old security chief now works for Apple; Window Snyder got things moving at Mozilla, so hopefully things will move faster there. And 20 holes,  ::) as to which platform... hell, I like Apple for more than the security aspect. I'm not deaf, dumb and blind to such things as some Apple fans are, but as Tacitus said, OSX so far seems to have a good track record, and I'm sure Apple will have some fixes in OSX 10.6.3 and some patches out for older OSs and tweaks for the new one as well, just like Microsoft etc.
Damned, if you do damned if you don't

DorsetBoy

Quote from: zimmerframe on Mar 19, 2010, 23:43:13
Success; finally. 


I am amazed and appalled at how easily they installed themselves on my PC.  I wasn't visiting some lurid dodgy site (well, it seems it was dodgy) but was viewing what I thought was an innocent record review site.  It just shouldn't be that easy to spread this stuff :mad:




Zimmer, this is why I NEVER trust my machines to Windows Firewall; it has no defence. Avast, though quite good, has let me down in the past. I went back to ESET products, which are excellent at preventing drive-by installs like this. My lad's machine was always getting infected with the free AVs on board. ESET Smart Security keeps it clean, and he is forever visiting the free download/screensaver/image sites where the garbage resides.

Gary

Quote from: DorsetBoy on Mar 20, 2010, 08:35:37
Zimmer, this is why I NEVER trust my machines to Windows Firewall; it has no defence. Avast, though quite good, has let me down in the past. I went back to ESET products, which are excellent at preventing drive-by installs like this. My lad's machine was always getting infected with the free AVs on board. ESET Smart Security keeps it clean, and he is forever visiting the free download/screensaver/image sites where the garbage resides.
XP's firewall was never good though, was it? Vista and Windows 7 had a more robust one in place, which I think are yet to be breached in this way, though I could be wrong. Using the full version of Prevx and just NOD32 and Windows Defender I was fine on Vista. I found the ESET firewall to be somewhat lacking, and buggy when it came to UPnP, which some people do use; not everyone can port forward. People generally like to set and forget, and ESET's automatic mode is not the best. Software firewalls are a pain tbh and cause more issues than they are sometimes worth. Also, WIN32InjectXP is dedicated to Windows NT, 2000 and XP, and these OSs are very long in the tooth now.

I think using a newer OS helps, and between Windows firewall and a hardware firewall you should be OK. Also, what proactive defence you have counts; that should really nab something like this trojan before it does any damage in the first place.
Damned, if you do damned if you don't

zimmerframe

I shall certainly be reviewing my security.  My PC sits behind a Netgear router which has hardware firewall capability.  That and Windows firewall are obviously not enough.

I've just noticed that Barclays are offering Kaspersky 2010 free to their on-line bank users.  It's something I've heard of in a good light; is it a good product?

Like I said, what amazes me is the ease with which I was infected.  I was savvy enough to realise straight away that something wrong had happened.  How many thousands (millions?) don't, and are infected?


If The World Didnt Suck, We'd all Fall Off

Rik

Gary used to use Kaspersky, Zim, he should be able to give you a full rundown on its capabilities.

The big problem for all of us is the great uneducated mass of people who 'drive' infected computers around the 'net, not realising the harm they are doing. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: zimmerframe on Mar 20, 2010, 11:10:48
I shall certainly be reviewing my security.  My PC sits behind a Netgear router which has hardware firewall capability.  That and Windows firewall are obviously not enough.

I've just noticed that Barclays are offering Kaspersky 2010 free to their on-line bank users.  It's something I've heard of in a good light; is it a good product?

Like I said, what amazes me is the ease with which I was infected.  I was savvy enough to realise straight away that something wrong had happened.  How many thousands (millions?) don't, and are infected?
I used to use it, but it had issues: it can slow browsing down very badly, and you need to remove every source of your old antivirus from your machine (uninstall Malwarebytes, SuperAntiSpyware etc.) before installing it, as it does not like those programs. Tbh I found it very buggy and problematic even though its detection ratings are great. Norton 2010 has just as high a detection rating, is more user friendly, does not slow your browsing down and scans faster. I know this sounds odd, but I would go for Norton rather than Kaspersky; it's simpler to use, just as robust, and is not like the Norton of old days. Both programs got a 99% score in AV Comparatives, and I would not put the Kaspersky suite on a Windows box of mine again; it alters the file structure permanently by messing with the NTFS stream. I would go for Norton: fast, light and very reliable in these times. Don't be put off by Norton from years back, they are not the same beast.
Damned, if you do damned if you don't


Tacitus

Quote from: Gary on Mar 20, 2010, 08:20:27
Mozilla's old security chief now works for Apple; Window Snyder got things moving at Mozilla, so hopefully things will move faster there. And 20 holes,  ::) .......

I saw that about Mozilla's security chief moving to Apple.  Maybe they are starting to revamp their security procedures.  Although they are moving in the right direction with address randomisation and so on, they still have a long way to go.

It's interesting that although Miller keeps finding security holes he has been quoted (can't find the link) as saying OSX is 'safer', possibly due to the security/obscurity myth.  Security has gone from the realms of the schoolboy hacker to organised crime and it can only get worse.

Den

I had Kaspersky on both my desktop and my laptop using Windows 7. It caused so many problems on the desktop that I uninstalled it and tried a trial of Norton 2010 for 3 months. The difference was outstanding and I cannot imagine moving back, so I have now bought the paid-for version of Norton Security for both machines.   :laugh:
Mr Music Man.

zimmerframe

Unfortunately, my problems have compounded.  The payload must have had a virus along for the ride too: WIN32:Malware-Gen.  It has now locked my PC down totally.  I can't log on, even in safe mode.  My PC immediately logs me off again.

Any fix is further compounded by the fact that my drives are RAIDed (RAID 0), so I can't remove the drive to put it in another PC to work on.

I tried using System Restore.  Big mistake; that had also been infected.  I did a virus scan using Avast that found the above virus but could not remove it.  Since trying that, my PC has locked down.

What next, re-format?  If so, maybe it's time to move to Windows 7.


If The World Didnt Suck, We'd all Fall Off

Glenn

Will it start in safe mode at all?
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

zimmerframe

Starts in safe mode but I can't log on.  It auto logs off again; even the Admin role is affected.

Sunday night I passed my machine on to a friend who works in IT.  It's beyond my capabilities now.  I think he will attempt either setting up a second RAID drive or putting it on a temporary network in order to access my machine's registry, which has been changed by removing the virus.

Research since on some forums shows that I am far from alone in having this problem.  Solutions do exist, so I'm still hopeful that the machine is recoverable and will not require a format.


If The World Didnt Suck, We'd all Fall Off
